no script checking??, false alarm?! and NO SELF PROTECTION! :(


iNsuRRecTioN
September 5th, 2003, 12:49 PM
Hi there,

First, I must say that NOD32, especially the v2 version, is a good and fast antivirus scanner with high potential.
Greetings to the coders and to Eset, congratulations.
But... ;)

When I start the attached file "eicar.html", NOD32 doesn't warn me or stop the script(s).
I think that is bad, because it seems NOD32 doesn't scan scripts...
That's only a test virus script, but when there is a dangerous script in it, you lose!
(The JS says that the script checker doesn't check the second script. The script checker is from Kaspersky AV, and so is this file, modified by me. And the script(s) are blocked by the KAV script checker!)
I have the German v2 of NOD32.
Please add a "script checker" or something similar with heuristics or advanced heuristics.
The KAV script checker uses heuristics to detect such viruses etc. put into HTML (it doesn't use the signature files).

Second, when I start the NOD32 on-demand scanner with advanced heuristics, I always get a message that a NewHeur_PE virus was probably found in RAM (work space/Arbeitsspeicher; I have the German version of NOD32 v2).
This virus message doesn't show up when I scan without advanced heuristics,
but I want to scan with it sometimes, so please code an update for the advanced heuristics component.
Ooooh, "cool", now there is another error... I want to copy the scanner log from the NOD32 Control Center, but when I right-click on the scanner log and click on copy selected (markiertes kopieren) or copy all (alles kopieren), the NOD32 Control Center freezes and I can only close it with the Task Manager, or by right-clicking it in the taskbar and then closing.
Then comes the Windows popup that the application is frozen and I must click on terminate now!
(nod32kui.exe doesn't respond)
Only the export-as-file function works correctly...

And there is another big problem:
NO SELF PROTECTION!!! Very, very bad! :-\
NOD32 runs 2 apps in the background, nod32kui.exe and nod32krn.exe...
But these tasks don't protect each other...
I tested it, because malware and so on often terminates antivirus program tasks and sometimes even deletes them...
And the same here... :(
I kill the task nod32krn.exe and then I delete it... and nothing happens... no warning...
NOTHING! nod32kui.exe still runs in the taskbar and the icon still indicates that all is right and everything functions normally.
------> very BAD.

Sorry, but a good AV has to protect itself from unloading and deleting...

And then I'm surprised about the memory usage...
Why do both tasks use up to 25-26 MB of RAM (12-13 MB each)???
I tested reducing the mem usage with APM from DiamondCS, and then only 5-6 MB are used!
nod32kui.exe 3 MB and nod32krn.exe 2-3 MB...
That's comical... lol
Please bring an update of NOD32 v2 that has better memory usage/memory control, because as soon as I reduce the mem usage with APM (use less mem), it works too!!
And after hours the mem usage of NOD32 isn't much more...


Also some suggestions:
Please implement a user custom option where I can enter the time the splash screen shows at startup, because I think that's a little too long :P
And please implement an option where I can decide whether AMON scans packed/encrypted files (not archives) or not...!!!
Archives are not so important and reduce the performance and scan speed,
but packed/encrypted files are very, very important!

AND I miss an option to create a boot disk, or better a boot CD, like AVK 11/12 (AntiVirenKit 11/12 from Gdata) does. (B.t.w., the DOS NOD32 v2 version is not available!)
The boot CD from AVK has full access to all drives, NTFS too!
Such a utility is very useful and is missing from the NOD32 v2 (and v1) antivirus version.
Sites like www.wintotal.de make tests and say the same...
Test v2: http://www.wintotal.de/Tests/nod32v2/nod32v2.php

thx so much

bye

iNsuRRecTioN

PS: I renamed eicar.html to eicar.html.txt because of the board limitations.

Vigy
September 5th, 2003, 01:32 PM
Hi iNsuRRecTioN,

The file you attached does not contain any virus-like code. Because it is interpreted by a web browser, all it does is write a text on screen. Nothing else. (EICAR is a DOS program interpreted by cmd.exe or command.com)

>NewHeur_PE Virus probably found in RAM

Have you scanned all your HD drives?

- I think the problem with the freezing has been fixed, but I'm not sure
- try to download the latest version

>But these tasks don't protect each other...

If there is an existing virus that does so, it will be added to the virus base, and from that day NOD will be able to detect the virus and will deny access to the file (before it can terminate anything).

>Why both tasks use up to 25-26 MB of RAM(12-13 MB each)

On my system it's NOD32KRN.EXE 2MB RAM/7MB SWAP (VM), NOD32KUI.EXE 6MB RAM/2MB SWAP (VM).
If you want to reduce these numbers, just turn off what you don't need (graphics mode, emon, imon etc.)

>Please implement a user custom option, that I can enter a time, the splash screen show up at startup, because I think thats a little too long

- so turn it off! Control Center->NOD32 System Tools->Setup->Do not display splash screen at startup (checkbox)

>(b.t.w. the DOS NOD32v2 version is not available..!)

I'm not sure, but I think the DOS version is the last thing they are thinking of...

>AND I miss an option to create a boot disk, better an boot CD like AVK11/12 (AntiVirenKit 11/12 von Gdata) it does.

- and what OS is on that CD? NTFS R/W access could be with Linux, but
what about those users, who never worked with it?

If you have more questions, just ask. I think, Jan will give you more answers.

regards,

Vigy

JimIT
September 5th, 2003, 09:18 PM
Quoting Vigy:
> - and what OS is on that CD? NTFS R/W access could be with Linux, but
> what about those users, who never worked with it?
> Vigy

That's right, it does boot w/Linux.


INsUrrecTioN:

NOD32 doesn't use that much memory on this box. Might want to tweak a bit. ;)

iNsuRRecTioN
September 5th, 2003, 09:52 PM
Quoting Vigy:
> Hi iNsuRRecTioN,
>
> The file you attached does not contain any virus-like code. Because it is interpreted by a web browser, all it does is write a text on screen. Nothing else. (EICAR is a DOS program interpreted by cmd.exe or command.com)

Yes, I know, but that is only a test string, and when NOD32 doesn't detect this,
it won't detect any other script viruses and so on...

Quoting Vigy:
> >NewHeur_PE Virus probably found in RAM
>
> Have you scanned all your HD drives?
>
> - I think the problem with the freezing has been fixed, but I'm not sure
> - try to download the latest version

There is no freeze problem while scanning, and I have the latest version!

Quoting Vigy:
> >But these tasks don't protect each other...
>
> If there is an existing virus that does so, it will be added to the virus base, and from that day NOD will be able to detect the virus and will deny access to the file (before it can terminate anything).

There are many viruses, trojans and so on that search for antivirus programs and kill them in memory.
So there is a need for that, and Eset can implement protection functions.
It is easy to implement such a routine that monitors the other task, or monitors itself, and loads itself into memory again or loads the other task into memory again!
But when I must wait until this virus is analysed, added to the virus base and released to the public,
it is not such a good AV app.

Quoting Vigy:
> >Why both tasks use up to 25-26 MB of RAM(12-13 MB each)
>
> On my system it's NOD32KRN.EXE 2MB RAM/7MB SWAP (VM), NOD32KUI.EXE 6MB RAM/2MB SWAP (VM).
> If you want to reduce these numbers, just turn off what you don't need (graphics mode, emon, imon etc.)

No, that has nothing to do with my question.
1. I don't want to turn the graphic interface off,
and 2. EMON is off by default (because no IMAP)
and IMON must be activated (winsock scanner!).
3. I wrote that it could handle the mem usage better, and I can reduce the mem usage with no problems... so they should optimize their mem handling, controlling and usage.

Quoting Vigy:
> >Please implement a user custom option, that I can enter a time, the splash screen show up at startup, because I think thats a little too long
>
> - so turn it off! Control Center->NOD32 System Tools->Setup->Do not display splash screen at startup (checkbox)

I know about the turn-off option, but I want to see the splash, just for a shorter time, do you understand??! :D

Quoting Vigy:
> >(b.t.w. the DOS NOD32v2 version is not available..!)
>
> I'm not sure, but I think the DOS version is the last thing they are thinking of...

But that is the only chance to scan and clean the system without Windows,
when malware can't be stopped, cleaned, deleted or whatever under Windows,
and when the MBR or so is infected by a virus!

Quoting Vigy:
> >AND I miss an option to create a boot disk, better a boot CD like AVK11/12 (AntiVirenKit 11/12 from Gdata) does.
>
> - and what OS is on that CD? NTFS R/W access could be with Linux, but
> what about those users, who never worked with it?

Test it yourself: load the test version and then you can create such a boot disk with the newest virus base and engine updates...

So now please optimize, not discuss ;D

thx

iNsuRRecTioN

testg
September 7th, 2003, 02:32 PM
I recall that in Version 1 there was an option that disabled the process from being unloaded unless you specify the password...but it's missing in Version 2...too bad.

Yes a component protection is a good idea especially with the Anti-AntiVirus programs out there. Even BoClean protects their own components.

anotherjack
September 12th, 2003, 10:36 AM
I just tried the scenario you suggest and here's what I found (Win2K, 2.000.6 engine, 20030911 defs):

1. Logged in as local administrator
2. Was able to kill the NOD32KUI process in Task Manager
3. COULD NOT kill the NOD32KRN process, even as admin - Access denied
4. I COULD copy / rename / move EICAR.COM at will without any problems
5. Could NOT RUN EICAR.COM, got "Access Denied" message

So, it looks like you can kill the GUI, but not the actual AMON process. It's still out there doing its job, albeit at a reduced level of efficiency. Once NOD32KUI was restarted, operation was back to normal.

Vigy
September 12th, 2003, 03:43 PM
Yeah, you can kill nod32kui.exe because it runs as an application. But nod32krn.exe runs as a service, so when you want to shut it down, you must go through Control Panel -> Administrative Tools -> Services (or something like that). You cannot kill it from the Task Manager.

You can do with the infected file what you want, depending on what you checked/unchecked in the AMON settings (open, execute, ...). When you terminated nod32kui.exe, you couldn't control the kernel service (nod32krn.exe).

Rgds

Vigy

iNsuRRecTioN
September 16th, 2003, 03:10 PM
Hi,

That's my info:

NOD32 Systeminformation
Version: 1.510 (20030916)
Datum: Dienstag, 16. September 2003
Antivirus-Datenbank Build: 3921

Information über zusätzliche Komponenten
Modul Advanced Heuristik, Version: 1.003 (20030805)
Modul Advanced Heuristik, Build: 1032
Modul Archivunterstützung, Version: 1.003 (20030903)
Modul Archivunterstützung, Build: 1056

Information über installierte Komponenten
NOD32 für Windows NT/2000/XP - Basismodul
Version: 2.000.6
NOD32 für Windows NT/2000/XP - Internetsupport
Version: 2.000.6
NOD32 für Windows NT/2000/XP - Standardmodul
Version: 2.000.6

Betriebssystem Info
Plattform: Windows XP
Version: 5.1.2600 Service Pack 1
Version Common Control Komponenten: 5.82.2800
RAM: 512 MB
Prozessor: AMD Athlon(tm) Processor (1477 MHz)


And I can kill both processes, nod32kui.exe and nod32krn.exe.
No access denied or anything!

And when nod32kui.exe is not running, the AMON scanner and so on don't work correctly!

So long... bad and bye >:(

Please fix and optimize...

thx

bye

iNsuRRecTioN

DiGi
September 17th, 2003, 02:19 AM
How did you kill nod32krn.exe (without going to Services -> Stop...)?

iNsuRRecTioN
September 18th, 2003, 03:31 PM
@DiGi, yes, simply the Task Manager and then kill task...

no access denied or anything else!

bye

iNsuRRecTioN

Vigy
September 29th, 2003, 12:33 PM
I know that it is not possible to kill NOD32KRN.EXE by the standard windows task manager. You can kill only NOD32KUI.EXE this way.

The only way to unload NOD32KRN.EXE file from the memory is via SERVICES and Win9X process handling tools (PrcView.exe)

Vigy

webwude
September 30th, 2003, 02:57 AM
Some good recommendations indeed.
Maybe worth having a look at it.

Btw., no answers to my wishlist... Is there any possibility to get an answer whether this will be available in a future release?

- option to enable Advanced Heuristics with the on-demand scanner and AMON
- option to scan outgoing mails (IMON)
- option to enable scanning in archives / UPX / otherwise packed files with AMON

ww

iNsuRRecTioN
October 4th, 2003, 04:48 PM
@Vigy (and sorry, not DiGi): It is possible, simply Ctrl+Alt+Del, then Task Manager, and you can kill both nod32krn.exe and nod32kui.exe without problems or any message!

AND YES, it is loaded as a service with Windows!

I use Windows XP Pro SP1 with all updates..

So long, and I'm right, see this thread: http://www.wilderssecurity.com/showthread.php?t=14496

Also, mods and coders and Eset, please fix, enhance and add new options to NOD32 v2 ::)

thx

bye

iNsuRRecTioN

SaracenBlade
October 4th, 2003, 11:31 PM
I recently read an item from a mathematician saying with all the combinations of firmware, XP patches, and XP updates, he could create more than 1.5 million XP environments. They would all be "Windows XP" computers, but no 2 would be the same.

Like many of you guys, I can't kill the NOD32KRN.EXE service from the task manager (Administrator/XP Pro SP1 + all MS updates) but that is on MY computer. iNsuRRecTioN's computer might behave differently. If he can kill NOD32KRN.EXE on HIS computer, it should be investigated.

iNsuRRecTioN
October 8th, 2003, 05:02 PM
Yes, it has to be investigated!

I have German Windows XP Pro SP1 with all updates available, the same for IE 6.0 SP1.
And the German version of NOD32 v2 as shown above..

And I log on as Administrator with administrator rights..

bye

iNsuRRecTioN

puff-m-d
October 8th, 2003, 05:12 PM
Hello all,

I can kill both the krn and ui from the task manager... on win xp pro with all patches....

Regards,
Kent

iNsuRRecTioN
November 14th, 2003, 11:38 AM
Hello there,

any changes yet???

nameless
November 16th, 2003, 08:41 PM
Here's another variation for those running Win2K or WinXP: Click Start > Run, or open a command window, and submit this command line:

net stop "NOD32 Kernel Service"

The NOD32 kernel (nod32krn.exe) goes bye-bye.

Try the same "net stop" thing with Kaspersky. You'll get a big middle finger when you do.

To make matters even more pathetic, I find that I can't get NOD32's resident protection enabled again unless I reboot (that is, no amount of screwing around in the "NOD32 Control Center" can bring it up again, and starting nod32krn.exe doesn't help, either). This is because of an issue with the filter driver, amon.sys. It gets stuck in "stopping" mode, and can't be reset until after a reboot.

I have also found that I can kill nod32krn.exe with this command-line utility (http://www.beyondlogic.org/consulting/processutil/processutil.htm).

But hey, it does win lots of VB100 awards. ::)

tax_troll
November 17th, 2003, 04:28 AM
IMO, if you don't use a sandbox or other utilities that can stop such commands, you deserve to have the process stopped. There are ways to screw permissions and terminate protected processes anyway.. :-X

Yes, please make NOD32 bloatware like KAV & NAV.. ::)

Not.

Phil_S
November 17th, 2003, 05:45 AM
Quoting tax_troll:
> Yes, please make NOD32 bloatware like KAV & NAV.. ::)
>
> Not.

Agreed. I'd also have to question why anyone using XP pro is routinely running as an administrator account anyway. I always log on as a user with limited privileges unless I need admin rights for a specific task - even then, some can be completed by running as another user from within the limited account.

Surely always running under admin privileges defeats the object of using an NT/XP system in the first place, and is just asking for trouble?

whodunnit
November 17th, 2003, 07:12 AM
Quoting tax_troll:
> IMO, if you don't use a sandbox or other utilities that can stop such commands, you deserve to have the process stopped. There are ways to screw permissions and terminate protected processes anyway.. :-X
>
> Yes, please make NOD32 bloatware like KAV & NAV.. ::)
>
> Not.

Think about the logic you've used here... Complaining that a small change to NOD32 will make it "bloatware" (which it wouldn't anyway), and in the same breath advocating the use of sandboxes or "other utilities". So it is not desirable to add a sensible protection feature to NOD32, because that would be "bloat", but it makes sense to turn around and install other crap on the system?

And you know, "deserve" is a funny word, and I don't care for the way you've used it here. You sound like a Microsoftie... Everyone who didn't install the Blaster patch because they were a clueless newbie, and everyone who thought they installed it but got bitten by a Windows Update bug, and everyone who installed it and had problems with the patch and had to remove it, all "deserved" to get hit by the Blaster worm. Everyone who doesn't get a flu shot "deserves" to get sick. Everyone who doesn't buy a 4x4 "deserves" to drive into a tree when it snows. Perhaps you need a dictionary.

Yes, it is possible to get around protection mechanisms. And there are also ways around sandboxes and "other utilities" also. No security is perfect. Congratulations for discovering and stating the obvious.

Good points. ::)

Not.

sig
November 18th, 2003, 05:01 AM
If I may say, MS Blaster is a poor example, since a basic security measure like a firewall (even the often criticized XP ICF) would have blocked the means of infection, regardless if the patch was present or didn't take. ;) But that's another subject.

dos
November 18th, 2003, 08:38 AM
Ooohhh look, the KAV fanboys from dslreport forums are here. Yipee! ::)

Paul Wilders
November 18th, 2003, 08:51 AM
Quoting dos:
> Ooohhh look, the KAV fanboys from dslreport forums are here. Yipee! ::)

Don't know about that - but if they are, they are welcome. Provided they keep in mind this is the NOD32 forum, and issues should be focussed on NOD32 as a rule. Discussing KAV can be done over on the other antiviruses forum.

regards.

paul

nameless
November 18th, 2003, 10:44 AM
Quoting dos:
> Ooohhh look, the KAV fanboys from dslreport forums are here. Yipee! ::)

Paul is right; speaking only for myself (and I assume I'm the one you were going after), I'm no KAV "fanboy". Saying "brand A has a problem, which brand B does not" does not make one a "fanboy" of brand B. Give me a break.

Actually, NOD32, not KAV, is my primary, real-time AV utility. Just because I point out (what I perceive as) a deficiency in the product doesn't mean I'm trying to pull it down, much less prop up a competitor. (And believe me I have plenty of criticism for KAV, too. In fact, I don't even find it usable as a real-time scanner.)

I think that rather than being sarcastic, dismissive, and indignant in response, reasonable negative comments regarding NOD32 should be welcomed. After all, if there's something wrong, wouldn't you want to know about it? And if there isn't, then the criticisms will be shot down.

Regarding the termination of the various NOD32 applications... We all know that if a user with sufficient privileges is logged in (not necessarily an Administrator, either), then it is irretrievably possible to kill applications. What I'm saying is, don't make it as easy as doing a "net stop"! And if some other sort of self-protection feature can feasibly be added to that, all to the good.

Quoting sig:
> If I may say, MS Blaster is a poor example, since a basic security measure like a firewall (even the often criticized XP ICF) would have blocked the means of infection, regardless if the patch was present or didn't take. ;) But that's another subject.

Yes, it's a different subject, but I think MS Blaster was a good example. The WinXP firewall isn't always enabled by default, and plenty of WinXP users have (or "had") no clue what a "firewall" is.

newnoduser
December 2nd, 2003, 08:42 AM
Quoting Vigy:
> The file you attached does not contain any virus-like code. Because it is interpreted by a web browser, all it does is write a text on screen. Nothing else. (EICAR is a DOS program interpreted by cmd.exe or command.com)


Actually that file Insurrection enclosed does indeed contain the eicar test file. I loaded my old anti virus program (which I will not name) and I clicked on the file he attached and it caught the eicar right away and quarantined it.

Does this mean that for those of us who use Nod32 would have been infected if this was a real virus? I am confused.
Is this a real problem?

Morgoth
December 2nd, 2003, 03:11 PM
Quote:
> ... can kill both the krn and ui from the task manager...

Same here - I have Win2000 + SP4 + latest updates.

BTW, I'm running on administrator level, but that has nothing to do with the problem since other services such as my anti-Trojan kernel or firewall kernel CANNOT be shut down this way, even as an administrator. Only the nod32krn service can be terminated via the task manager (but it can be restarted using the SERVICES manager).

There is no explanation to this, for even those who designed the software would not be able to provide any, so I'm not expecting anyone to be able to shed light on this complete mystery. I just wanted to let everyone know that this issue is far from being an isolated case. :'(

Buddel
December 2nd, 2003, 03:31 PM
Quoting puff-m-d:
> ... I can kill both the krn and ui from the task manager...
So can I (Windows ME): http://www.wilderssecurity.com/showthread.php?t=17122

nostril_hair
December 2nd, 2003, 10:33 PM
If you're running as an Admin, I don't see why process killing would be a valid concern of yours. Any malicious code could open up a command prompt and use "net stop" to disable Nod32. I don't know of any program that can protect itself from Service Manager.

Another reason to use a sandbox..

Tablet
December 3rd, 2003, 06:53 AM
Quote:
> I don't know of any program that can protect itself from Service Manager.

Fortunately KAV and Sygate are the two I am aware of. If you try to net stop them, you get an error message that the process can't be terminated (access denied). So it is possible, though I agree with the point that if a malicious code is already running, this is more of a second/third level defense. Definitely it makes job for virus writers harder, because it's not enough for them to just create a trojandropper with ability to terminate AVs and FWs and then download a known file.
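Tablet's point just above (some services answer `net stop` with "access denied") and nameless's earlier post (the NOD32 kernel service stops on a plain `net stop "NOD32 Kernel Service"`) both come down to the service's security descriptor: which accounts hold the SERVICE_STOP right. The following PowerShell script is an added example written for this thread; it is not code from Eset, NOD32 or any poster. It reads a service's DACL with `sc.exe sdshow`, reports which non-administrator trustees may stop the service, checks that the service and its process are present, and can restart the service if it is found stopped. The service name 'NOD32 Kernel Service' and the process name nod32krn are the ones quoted in the thread; the function names and the -Restart switch are this example's own.

```powershell
# Added example for this thread; not code from Eset, NOD32 or any poster.
# Audits who may stop a Windows service (the "net stop" / "access denied"
# behaviour discussed above) and can restart the service if it is stopped.
# Assumes Windows with sc.exe and PowerShell 5 or later, run from an
# elevated prompt. Service and process names default to the ones quoted in
# the thread; the parameter and function names are this example's own.
param(
    [string]$ServiceName = 'NOD32 Kernel Service',
    [string]$ProcessName = 'nod32krn',
    [switch]$Restart
)

# Service-specific rights in SDDL shorthand:
# RP = SERVICE_START, WP = SERVICE_STOP, DT = SERVICE_PAUSE_CONTINUE, GA = generic all.
# Well-known SDDL trustee abbreviations for non-administrator principals.
$NonAdminTrustees = @{
    'WD' = 'Everyone'
    'AU' = 'Authenticated Users'
    'IU' = 'Interactive Users'
    'BU' = 'Builtin Users'
}

function Get-ServiceAceList {
    param([string]$Name)
    # sc.exe sdshow prints the service security descriptor as one SDDL string.
    $sddl = (& sc.exe sdshow $Name) -join ''
    if (-not $sddl -or $sddl -notmatch 'D:') {
        throw "No DACL returned for service '$Name' (sc.exe output: $sddl)"
    }
    # An ACE looks like (A;;CCLCSWRPWPDTLOCRRC;;;SY): type;flags;rights;;;trustee.
    # Audit ACEs in the SACL have type AU and are skipped by the [AD] class.
    foreach ($m in [regex]::Matches($sddl, '\(([AD]);[^;]*;([A-Z]*);;;([^)]+)\)')) {
        # Rights are a run of two-letter tokens.
        $rights = [regex]::Matches($m.Groups[2].Value, '..') | ForEach-Object { $_.Value }
        [pscustomobject]@{
            Type     = if ($m.Groups[1].Value -eq 'A') { 'Allow' } else { 'Deny' }
            Trustee  = $m.Groups[3].Value
            CanStop  = ($rights -contains 'WP' -or $rights -contains 'GA')
            CanStart = ($rights -contains 'RP' -or $rights -contains 'GA')
        }
    }
}

function Test-ServiceStopProtection {
    param([string]$Name, [string]$Process, [switch]$RestartIfStopped)

    # Accept either the short service name or the display name.
    $svc = Get-Service |
        Where-Object { $_.Name -eq $Name -or $_.DisplayName -eq $Name } |
        Select-Object -First 1
    if (-not $svc) { throw "Service '$Name' not found" }

    # Report every Allow ACE that grants SERVICE_STOP to a non-admin trustee.
    $weakAces = Get-ServiceAceList -Name $svc.Name |
        Where-Object { $_.Type -eq 'Allow' -and $_.CanStop -and
                       $NonAdminTrustees.ContainsKey($_.Trustee) }
    foreach ($ace in $weakAces) {
        Write-Warning ("{0} ({1}) may stop service '{2}' with 'net stop' or the Services MMC" -f
            $NonAdminTrustees[$ace.Trustee], $ace.Trustee, $svc.Name)
    }

    # Check that the service and its process are actually present.
    $proc = Get-Process -Name $Process -ErrorAction SilentlyContinue
    if ($svc.Status -ne 'Running' -or -not $proc) {
        Write-Warning ("Service '{0}' is {1}; process '{2}' running: {3}" -f
            $svc.Name, $svc.Status, $Process, [bool]$proc)
        if ($RestartIfStopped) {
            # As nameless noted above, restarting the kernel process did not always
            # bring the amon.sys filter driver back, so re-test on-access scanning
            # after a restart instead of trusting the service state alone.
            Start-Service -Name $svc.Name
        }
    }

    [pscustomobject]@{
        Service         = $svc.Name
        Status          = (Get-Service -Name $svc.Name).Status
        StartType       = $svc.StartType
        NonAdminCanStop = (@($weakAces).Count -gt 0)
        ProcessRunning  = [bool](Get-Process -Name $Process -ErrorAction SilentlyContinue)
    }
}

Test-ServiceStopProtection -Name $ServiceName -Process $ProcessName -RestartIfStopped:$Restart
```

Save it as a .ps1 file and run it from an elevated prompt; pass -ServiceName to audit any other service and -Restart to start the service if it is stopped. The default Windows service DACL grants Interactive Users only query rights, so a warning from this script means the service is stoppable by ordinary users, which is the weak configuration. It answers the `net stop` question (service control rights) only: whether an administrator can terminate the process from Task Manager, the point the thread disagrees on, depends on the process object's own ACL and privileges, not on the service DACL.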

Buddel
December 3rd, 2003, 09:07 AM
Quoting Tablet:
> Quote:
> > I don't know of any program that can protect itself from Service Manager.
>
> ... If you try to net stop them, you get an error message that the process can't be terminated (access denied). So it is possible, ...
Wouldn't it be great if this were possible for NOD32, too? ;)

Eliot
December 3rd, 2003, 08:29 PM
Process Guard by DCS. I use it for this and other things as well.

Buddel
December 4th, 2003, 02:33 AM
Quoting Eliot:
> Process Guard by DCS. I use it for this and other things as well.
This means that my old computer would have to cope with yet another app just to make sure that the NOD processes are not terminated by malware. Wouldn't it be easier if NOD32 itself took care of its running processes?

Anyway, I'm convinced that Eset will soon make it really difficult for script kiddies to terminate NOD32. ;)